Privacy Policy
Last updated: April 9, 2026
Orzo ("we," "us," or "our") operates the Orzo mobile application and the website at getorzo.com. This Privacy Policy explains how we collect, use, and protect your personal information when you use our services.
1. Information We Collect
When you join our waitlist:
- Email address
When you create an account:
- Email address
- Display name (optional)
- Authentication provider information (Apple ID, Google account, or email/password)
When you use the app:
- Recipe content you create or import (titles, ingredients, steps, notes, ratings)
- Images you upload (cookbook photos, recipe hero images)
- Collections and organizational data
Automatically collected:
- Device type and operating system version
- IP address (for security and rate limiting)
- Session information (for authentication)
2. How We Use Your Information
- To provide the recipe digitization and management service
- To authenticate your identity and secure your account
- To send launch notifications if you joined our waitlist
- To improve the app and fix bugs
- To enforce our Terms of Service and prevent abuse
3. How We Process Your Recipes
When you import a recipe via photo or URL, the content is sent to our server for processing. Images of cookbook pages and recipe text are sent to OpenAI's API for AI-powered parsing. This processing is necessary to extract structured recipe data. We do not use your recipe content to train AI models. OpenAI's data usage policies apply to content processed through their API.
4. Third-Party Services
We use the following third-party services to operate Orzo:
- Supabase — authentication, database hosting, and file storage
- OpenAI — AI-powered recipe image and text parsing
- Apple Sign-In / Google Sign-In — optional authentication providers
- Klaviyo — waitlist email management
- Railway — API server hosting
- Cloudflare — DNS, CDN, and website hosting
- Google Analytics — anonymous website usage analytics
Each service processes data according to its own privacy policy. We only share the minimum data necessary for each service to function.
5. Data Storage and Security
- Your data is stored in a PostgreSQL database with Row Level Security (RLS) ensuring users can only access their own data
- Images are stored in private storage buckets with time-limited signed URLs
- All connections are encrypted via TLS/SSL
- Passwords are hashed using industry-standard algorithms (bcrypt)
- TOTP-based multi-factor authentication (MFA) is available for additional account security
- API endpoints are rate-limited to prevent abuse
6. Data Retention
- Waitlist emails: retained until you unsubscribe or we remove the waitlist
- Account data: retained until you delete your account
- Account deletion: when you delete your account, your data enters a 30-day soft-delete period during which you can recover it. After 30 days, all data is permanently and irreversibly deleted
7. Your Rights
Depending on your location, you may have the following rights regarding your personal data:
- Access: request a copy of the personal data we hold about you
- Correction: request that we correct inaccurate data
- Deletion: request that we delete your data (available in-app via account deletion)
- Portability: request your data in a portable format
- Withdrawal of consent: unsubscribe from marketing emails at any time
To exercise any of these rights, contact us at hello@getorzo.com.
8. Cookies and Tracking
Our website at getorzo.com uses Google Analytics to understand how visitors interact with our site. Google Analytics collects anonymous usage data such as pages visited, time on site, and traffic source. This data helps us improve the site and understand how people find Orzo. You can opt out of Google Analytics by installing the Google Analytics Opt-out Browser Add-on. The Orzo mobile app uses secure device-local storage (iOS Keychain) for session management, not cookies.
9. Children's Privacy
Orzo is not directed at children under the age of 13. We do not knowingly collect personal information from children under 13. If we become aware that we have collected data from a child under 13, we will take steps to delete that information promptly.
10. Changes to This Policy
We may update this Privacy Policy from time to time. If we make material changes, we will notify you by updating the "Last updated" date at the top of this page and, where appropriate, through in-app notification or email.
11. Contact Us
If you have questions about this Privacy Policy or our data practices, please contact us at: